DataFence directly or partially addresses 22 CMMC / NIST 800-171 controls at the browser — controlling CUI in uploads, logging activity, and enforcing egress — and produces the objective evidence a C3PAO assessment needs. It supports FCI / Level 1 safeguarding; it does not confer certification.
22
controls with direct or partial coverage
FCI / L1
safeguarding supported
Real-time
browser-upload egress control
Without CMMC certification, defense contractors lose access to DoD contracts worth billions
2025
CMMC 2.0 phasing into DoD contracts
$700B+ Market
Annual DoD contract value at stake
3X
Damages for compliance failures
Zero Tolerance
For CUI mishandling incidents
How DataFence's browser-egress controls map to specific NIST 800-171 / CMMC requirements
While manual processes and point solutions leave gaps, DataFence directly or partially addresses specific browser-egress controls and produces continuous, assessment-ready evidence.
Browser CUI Control
Warn or block sensitive uploads before they leave the browser
Audit Logging: Built-In
Every action logged with user attribution
Evidence Collection: Continuous
Assessment-ready reports on demand
Scope:
DataFence covers the browser-egress vector and produces objective assessment evidence. It is not CMMC-certified and does not replace a C3PAO assessment of your full environment.
Access Control
AC Domain
Audit & Accountability
AU Domain
Configuration Mgmt
CM Domain
System Protection
SC Domain
System Integrity
SI Domain
How DataFence's browser-egress capabilities map to specific CMMC / NIST 800-171 controls — and where the customer's environment carries the rest
Within its browser-egress scope, DataFence directly or partially addresses 22 of the 110 NIST 800-171 controls and produces objective evidence for them. The remaining controls belong to your broader environment. A C3PAO assesses that whole environment — no tool banks SPRS points on your behalf.
| Coverage | Controls |
|---|---|
| Directly enforces DataFence performs the control (browser-egress scope) |
9 |
| Partially enforces / provides evidence Covers part of the control or supplies assessment evidence |
13 |
| Total addressed by DataFence | 22 |
| Customer-owned (remaining environment) | 88 |
Scope of these grades. Coverage below reflects DataFence's browser-egress scope only — the point where employees upload files or submit forms in the browser. It does not cover other CUI vectors (email clients, USB, endpoint files, network shares) or data at rest, and it is not a FedRAMP-Moderate–equivalent authorization for processing CUI. A C3PAO assesses your entire environment against all applicable controls; DataFence supplies enforcement and evidence for its portion. Free-text personal-name detection is ~80% on independent data, and FIPS-validated cryptography applies to the transmission leg.
| Control ID | Control Name | DataFence Implementation | Coverage |
|---|---|---|---|
| Access Control (AC) | |||
| AC.L2-3.1.3 | Control CUI Flow | Partially — warns or blocks CUI leaving via browser uploads; other CUI vectors and data at rest are out of scope | |
| AC.L1-3.1.20 | External Connections | Restricts/monitors outbound uploads to external systems | |
| AC.L1-3.1.22 | Publicly Accessible Content | Blocks or warns before CUI is posted to publicly accessible cloud systems | |
| Audit & Accountability (AU) | |||
| AU.L2-3.3.1 | System Auditing | All browser actions (allow/warn/block) logged with user attribution | |
| AU.L2-3.3.2 | User Accountability | Logs tied to user email/client ID | |
| AU.L2-3.3.5 | Audit Correlation | Centralized logs feed SIEM for incident correlation | |
| AU.L2-3.3.8 | Audit Protection | Supporting: logs protected in backend DB with limited admin control | |
| Configuration Management (CM) | |||
| CM.L2-3.4.8 | Application Execution Policy | Enforces blacklist/whitelist on uploads | |
| CM.L2-3.4.9 | User-Installed Software | Controls data exfiltration via shadow IT apps | |
| System & Communications Protection (SC) | |||
| SC.L1-3.13.1 | Boundary Protection | Intercepts communications leaving browser endpoints | |
| SC.L2-3.13.6 | Network Communication by Exception | Domain allow/block lists enforce deny-all approach | |
| SC.L2-3.13.8 | Data in Transit | Ensures HTTPS uploads, blocks insecure transfers | |
| System & Information Integrity (SI) | |||
| SI.L1-3.14.2 | Malicious Code Protection | Scans uploads for risky content before submission | |
| SI.L1-3.14.5 | System & File Scanning | Real-time scanning of every upload | |
| SI.L2-3.14.6 | Monitor Communications for Attacks | Detects exfiltration attempts via browser | |
| SI.L2-3.14.7 | Identify Unauthorized Use | Policy violations expose system misuse | |
| Partial Coverage - Supporting Controls | |||
| IR.L2-3.6.1 | Incident Handling | Provides logs/alerts for IR team | |
| IR.L2-3.6.2 | Incident Reporting | Evidence collection for reporting | |
| RA.L2-3.11.1 | Risk Assessments | Violation analytics provide risk data | |
| RA.L2-3.11.2 | Vulnerability Scan | Identifies shadow IT risks | |
| CA.L2-3.12.1 | Security Control Assessment | Reports feed into assessments | |
| CA.L2-3.12.4 | System Security Plan | Evidence/logs for SSP documentation | |
DataFence produces continuous, assessment-ready evidence and enforcement for 22 CMMC / NIST 800-171 controls within its browser-egress scope
controls addressed
Directly or partially, within browser-egress scope
browser CUI control
Uploads & form submissions inspected before they leave
Continuous compliance
Real-time enforcement & logging
Everything you need to know about CMMC certification and requirements
Important: DataFence is a browser-based data-loss-prevention tool. It is not CMMC-certified and does not confer CMMC certification — a C3PAO assesses your organization's entire environment against all applicable controls. DataFence directly or partially enforces, and produces evidence for, specific controls within its browser-egress scope; it does not cover other CUI vectors (email, USB, endpoint files, network shares) or data at rest. Routing CUI through an external cloud service requires that service to meet FedRAMP Moderate–equivalent requirements under DFARS 252.204-7012 (including the 7012 incident-reporting flowdowns and FIPS-validated cryptography); DataFence has not been 3PAO-assessed to that baseline. Scope CUI accordingly and confirm control applicability with your C3PAO or CMMC counsel before relying on any statement here in an SSP, SPRS submission, or contract.
Deploy DataFence to control browser CUI egress and start generating assessment-ready evidence for specific CMMC controls
Deploy in hours
Real-time browser CUI control
Assessment ready